15.3 Using RSA transport keys

You can use RSA 2048-bit transport keys to secure the transfer of keys between systems.

The procedure is as follows:

  1. Create an RSA transport key.

    Use the Key Manager workflow to create a key of type Transport Key(ZMK), and select an Encryption Type of RSA2048.

    You can choose to create the key automatically in the database or in your HSM, if available. You cannot import a key of this type, and you cannot enter the key directly.

    See section 15.2.1, Transport keys.

  2. Export the public key.

    You do not need to have selected the Exportable option; the exportable attribute restricts only the export of the private key, while the public key is always exportable.

    The public key is a PEM (Privacy Enhanced Mail) format that encodes a SubjectPublicKeyInfo (rfc5280) that contains an RSA public key.

    For example:

    Copy
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4d1+POf0845xssbC44RL
    XkWMu00PJpG9QY62c17kJ21YMdcB0w0IXji+Y9kDxlbxw1XU+IJ/Z0ZDPsI/pPft
    1FZcytuX9p6L04Mi6u/gmbc3CDhnRkRxkKfGFlf1WoHUKWpgOesKV0xU4pZWW9B5
    k3gJryVBqIsJvr9M42DFkknOyrIPrk/MpRqWehW4rHuqNhUhdkf2ZHLXyC/D39gp
    CN7KWYOsNeiMK+n2/x4SgQot4C8uQcMoHR52j3y2BNreD8yevYiO/1XkQYBbqZV2
    m0FCQBU8DqY196tfJZc4mHfGZJYDCkP3WmDiISkxeNbHpyZnDHoVdBL/IBbqSQBf
    8QIDAQAB
    -----END PUBLIC KEY-----

    See section 15.3.1, Exporting RSA transport keys.

  3. Send the public key to the third party that holds the key you want to transport.

  4. The third party then uses the public key to encrypt the key.

    On a MyID system, you do this by selecting the Enter a Public Key option from the Transport key drop-down list on the Transport Key Selection dialog, then providing the public key from the PEM file and specifying the padding type you want to use on the encryption.

    For information on encrypting a key using the RSA public key using your own system instead of using MyID, see section 15.3.2, Encrypting a key using the RSA public key.

    The key is exported to a file that contains information on the public key used as a transport key, the encrypted key value, and the checksum. The file does not contain information on the padding used.

    See section 15.2.5, Exporting keys for details.

  5. The third party sends the exported key to you, along with details of what padding was used.

  6. You use the key ceremony option to import the key, selecting the RSA transport key related to the public key you provided to the third party.

    When you select an RSA transport key in the Key Ceremony dialog, an additional option appears, allowing you to specify the padding used.

    Enter the Encrypted Master Key, optionally the Check Value, and select the Padding Type that was used for the exported key.

    See section 15.2.6, Entering keys using a key ceremony (for keys managed using the Key Manager workflow) and section 7.3.2, Using a key ceremony (for GlobalPlatform keys managed using the Manage GlobalPlatform Keys workflow).

15.3.1 Exporting RSA transport keys

When you create a transport key and select RSA2048 as the Encryption Type, they key is automatically created in the database or in the HSM. To use the key, you must export the public key.

Note: You do not have to set the Exportable option on an RSA transport key; the exportable attribute restricts only the export of the private key, while the public key is always exportable.

To export the public key of an RSA transport key:

  1. From the Configuration category, select Key Manager.

  2. From the Select Key Type to Manage drop-down list, select Transport Key(ZMK) and click Next.

  3. Select the RSA transport key from the list.

  4. Click Export.

  5. Click OK.

  6. Type a name for the PEM file and select the location, then click Save.

    MyID saves the public key in a .pem (Privacy Enhanced Mail) format file.

  7. Click Continue.

15.3.2 Encrypting a key using the RSA public key

If you need to encrypt a key on a third-party system for transport to a MyID system, you can use standard encryption tools.

For example, to use openssl to encrypt a key using an RSA public key, use the following settings:

  1. Take your key, convert it to binary, and store it in a file.

  2. Run openssl on the binary key file to encrypt it using the public key stored in the .pem file.

    For example:

    openssl pkeyutl -in BinaryKeyFile.txt -out EncryptedKeyFile.txt -pubin -inkey RSAPublicKey.pem -keyform PEM -encrypt -pkeyopt rsa_padding_mode:pkcs1

    This example takes a binary key file BinaryKeyFile.txt, encrypts it using the public key stored in RSAPublicKey.pem using PKCS1 padding, and stores the resulting encrypted key in EncryptedKeyFile.txt.

    To use a different padding format, use the appropriate -pkeyopt options; for example:

    Padding type openssl encryption options
    PKCS1 -pkeyopt rsa_padding_mode:pkcs1
    OAEP_SHA1 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1
    -pkeyopt rsa_mgf1_md:sha1
    OAEP_SHA256 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    -pkeyopt rsa_mgf1_md:sha256
    OAEP_SHA384 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha384
    -pkeyopt rsa_mgf1_md:sha384
    OAEP_SHA512 -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha512
    -pkeyopt rsa_mgf1_md:sha512
  3. Take the content of the binary encrypted file, and convert it to hex.

  4. Send the encrypted hex key to the MyID system, along with details of which padding you used.